CloudTrust Protocol Orientation and Status

Transcription

1 CloudTrust Protocol Orientation and Status June 2011 Ron Knode CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 1

2 CloudTrust Protocol Orientation Topics Why is it? What is it? transfer to CSA {Strong} connection to CloudAudit Existing plans & strategies Things for the CSA/CloudAudit to resolve other stuff CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 2

3 The Value Equation in the Cloud Security + Transparency = Compliance & Trust VALUE Captured (delivering evidence-based confidence with compliance-supporting data & artifacts) Source: CSC CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 3

4 The Transfer Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol ( Version 2.0 see reference #2 below) Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CSC representative as co-chair of CSA s Working Group CSA to include an acknowledgement that CSC is the original developer of the in any published materials (including electronic publication) that mention the Free, unrestricted use of derivative works by CSC References 1. See Digital Trust in the Cloud, August 2009, digital_trust_in_the_cloud 2. See Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0), July 2010, CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 4

5 Research Conclusions Summary Initial Results August 2009 The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns. The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing. Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving. CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency. Resist the temptation to jump into even a socalled secure cloud just to save money. Aim higher! Jump into the right trusted cloud to create and capture new enterprise value. digital_trust_in_the_cloud Or at CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 5

6 CloudTrust Protocol Revealed (Research extension detailing what and how July 2010) Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers. The CloudTrust Protocol () offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency. The reliable delivery of only a few elements of transparency generate a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques. Transparency-as-a- (TaaS) using the provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status responding to both cloud user and cloud provider needs. Transparency protocols like the must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective. into_the_cloud_with_ctp CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 6

7 V2.0 (next updates will be published through the Cloud Security Alliance) Syntax Semantics Self-defined response (no insistence on orthodoxy) Asset model Scope of response Implementation/deployment options Extension CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 7

8 A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack CloudTrust Protocol () Included Within CSA GRC Stack Government Specs Extensions Commercial??? Deliver continuous monitoring required by A&A methodologies Continuous monitoring with a purpose Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers??? Claims, offers, and the basis for auditing service delivery Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments FedRAMP DIACAP Other C&A standards Pre-audit checklists and questionnaires to inventory controls Industry-accepted ways to document what security controls exist NIST , HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST , SAS 70, The recommended foundations for controls Fundamental security principles in assessing the overall security risk of a cloud provider CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 8

9 CloudTrust Protocol () Transparency as a (TaaS) Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST , ISO27001, CAG, ENISA, CSA V2.3, Responding to all elements of transparency TaaS Enterprise CSC Trusted Community Cloud Cloud Trust Response Manager (CRM) TaaS Dashboard TaaS Private Trusted Cloud Cloud Trust Agent Downstream compliance processing Responding to all elements of transparency CloudTrust Protocol Orientation Ron Knode to CSA Using reclaimed visibility into the cloud to confirm security and create digital trust Source: 6 June 2011 Page 9

10 Transparency-as-a- (TaaS) Turn on the lights you need when you need them Authorized TaaS Users What does my cloud computing configuration look like right now? Where are my data and processing being performed? Who has access to my data now? Who has had access to my data? What audit events have occurred in my cloud configuration? What vulnerabilities exist in my cloud configuration? CloudTrust Protocol () Elements of Transparency 1 23 Private Cloud Other Public Clouds CSC Trusted Cloud Transparencyas-a- (TaaS) CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 10

11 Elements of Transparency in the 6 Types Initiation Policy Introduction Provider assertions Provider notifications Evidence requests Client extensions Families Configuration Vulnerabilities Anchoring Anchoring Audit log Management Statistics Only 23 in total in the entire protocol Elements Geographic Platform Process CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 11

12 CloudTrust Protocol Pathways Mapping the Elements of Transparency in Deployment Admin & Ops Specs Transparency Requests Extensions Assertions Evidence Affirmations Configuration definition: 20 Security capabilities and operations:17 Configuration & vulnerabilities: 3,4,5,6,7 Anchoring: 8, 9, 10 (geographic, platform, process) SCAP CloudAudit.org SCAP Sign / sealing Session start: 1 Session end: 2 Alerts: 18 Users: 19 Anchors: 21 Quotas: 22 Alert conditions: 23 Violation: 11 Audit: 12 Access: 13 Incident log: 14 Config/control: 15 Stats: 16 Consumer/provid er negotiated: CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 12

13 CloudTrust Protocol V2.0 Syntax Based on XML Traditional RESTful web service over HTTP Source: CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 13

14 Elastic Characteristics of the Cloud Consumers Cloud Providers Transparency-as-a- Legend: Provider dimension Deployment dimension Source: CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 14

15 Multiple Styles of Implementation The is machine and human readable In-band RESTful Web CloudTrust Protocol RESTful Web Cloud Provider Trust Evidence (elements of transparency) Out-of-band RESTful Web CloudTrust Protocol RESTful Web Cloud Provider Trust Evidence (elements of transparency) Source: CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 15

16 Scope of TaaS Enterprise or Client-specific Enterprise RESTful Web CloudTrust Prtocol RESTful Web Cloud Provider Trust Evidence (elements of transparency) Client-specific RESTful Web CloudTrust Protocol Clientdeployed application Cloud Provider Client Trust Evidence (partial elements of transparency) Source: CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 16

17 Undecided s Evidence Request category integrity and liability verification technique Attest to the content, provenance, and imputability of the response (with legal import) Transmission integrity not sufficient; Require legal liability of intent to provide response as delivered E.g, Surety AbsoluteProof technique Final namespace Trust package correlation with all contributing (traditional) security services Identity store for transparency service authorizations CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 17

18 Undecided s EoT extension technique Characteristics of specification Degree of automation Business constructs and back office issues, e.g., SLA foundations Concepts of operation Terms & Conditions recommendations Transparency operator training and operations monitoring CloudTrust Protocol Orientation Ron Knode to CSA 6 June 2011 Page 18

19